top | item 23955826

jzs | 5 years ago

"Now might be a good time to change your password to something longer, or finally get onboard with 2FA."

If it becomes trivial to crack the passwords, then we're really left with one factor. Unless we replace the password factor with something else.

SQRL perhaps?

Nerada | 5 years ago

Cracking good (long) passwords is far from trivial (and mathematically should remain that way); the main problem is that most users pick terrible passwords.

amelius | 5 years ago

The problem: users don't want long passwords.

(Though password managers can help a lot.)

paul_f | 5 years ago

Not trivial. You still have to break in and get /etc/passwd or the equivalent, right? And doesn't creating a unique salt for each client also help significantly?

Rafert | 5 years ago

WebAuthn is well supported across all major browsers and can be used for multifactor login without username and password.

arpa | 5 years ago

Client certificates are also a thing.

mschuster91 | 5 years ago

And they are an utter PITA to use, everywhere in the stack...

ryanlol | 5 years ago

If it’s trivial to dump password hashes, you’re probably already left with zero factors.

tialaramex | 5 years ago

For a lot of things this is true, but not for WebAuthn.

Here's what my site has on file for one of my own logins:

id: AWrNx4WDVIACFXeNDG4h6R6/ppUi8oIuXJYRwaJtOxssDZybQnu8wt6Cjdc4PqztvnSxnSgLmZGRT1BTnbZjz/M=

public key: pQECAyYgASFYIFsl5O6VHyqngNHPlNmWrjGTPjLFh1jzVnhOUJGP79yVIlgg6L2rDoH/l028WsMes+MbDU0RzM2oSdTcRq+cSwz/E/k=

friendly name: unhygienix

The only thing you can do with that data is the exact thing it's intended for, checking the user has the authenticator corresponding to that ID and wants to sign into this particular web site. Also I guess you maybe learn that this user enjoyed the Asterix comics?

You can't impersonate me using that data, any more than you can impersonate Hacker News based on the data inside its TLS certificate.
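The stored record above is worth decoding to see why it is harmless to leak. What follows is an added example, not tialaramex's code or anything from his site: it takes the credential id and public key exactly as posted, reads the key as the COSE_Key map WebAuthn uses for an ES256 credential (the leading byte 0xa5 is a five-entry CBOR map), and checks that the decoded x and y are a point on NIST P-256. The record layout, the helper names and the idea of bundling the friendly name into the same dict are assumptions for illustration; the code uses only the Python standard library, with a small CBOR decoder written here so no third-party package is needed.

```python
"""Decode a stored WebAuthn credential record and validate its public key.

Added example, not the commenter's code.  The credential id and COSE key are
the base64 values from the comment above; the record layout, helper names and
friendly-name field are assumptions.  A minimal CBOR decoder reads the COSE_Key
map and a P-256 curve-equation check confirms the stored value is a public
point: enough to verify an authenticator's signature, never enough to make one.
"""
import base64

# Constructed from the values posted in the comment above (assumed layout).
STORED_CREDENTIAL = {
    "id": "AWrNx4WDVIACFXeNDG4h6R6/ppUi8oIuXJYRwaJtOxssDZybQnu8wt6Cjdc4PqztvnSxnSgLmZGRT1BTnbZjz/M=",
    "public_key": "pQECAyYgASFYIFsl5O6VHyqngNHPlNmWrjGTPjLFh1jzVnhOUJGP79yVIlgg6L2rDoH/l028WsMes+MbDU0RzM2oSdTcRq+cSwz/E/k=",
    "friendly_name": "unhygienix",
}

# COSE_Key labels and values (RFC 8152 / RFC 9053) that WebAuthn uses for ES256.
COSE_KTY, COSE_ALG, COSE_CRV, COSE_X, COSE_Y = 1, 3, -1, -2, -3
KTY_EC2, ALG_ES256, CRV_P256 = 2, -7, 1

# NIST P-256: y^2 = x^3 - 3x + b (mod p), with generator G for self-checking.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _cbor_argument(data, pos, info):
    """Read the argument of a CBOR head: immediate (<24) or a 1/2/4-byte integer."""
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4}.get(info)
    if width is None:
        raise ValueError("unsupported CBOR argument encoding")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def cbor_decode(data, pos=0):
    """Decode one CBOR item (ints, byte/text strings, arrays, maps); return (item, end)."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    arg, pos = _cbor_argument(data, pos + 1, info)
    if major == 0:                      # unsigned integer
        return arg, pos
    if major == 1:                      # negative integer: -1 - arg
        return -1 - arg, pos
    if major == 2:                      # byte string
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:                      # text string
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:                      # array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                      # map
        items = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            items[key], pos = cbor_decode(data, pos)
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def is_on_p256(x, y):
    """True if (x, y) is in range and satisfies the P-256 curve equation."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_stored_credential(record):
    """Decode the record and validate its key as an ES256 / P-256 verifier.

    'on_curve' is the check a relying party should make before trusting a
    registered key.  The record carries only the public point, so it can verify
    assertions signed by the authenticator but cannot produce one.
    """
    cred_id = base64.b64decode(record["id"])          # opaque handle, no secret inside
    key_bytes = base64.b64decode(record["public_key"])
    cose, end = cbor_decode(key_bytes)
    if end != len(key_bytes):
        raise ValueError("trailing bytes after COSE_Key")
    if (cose.get(COSE_KTY), cose.get(COSE_ALG), cose.get(COSE_CRV)) != (KTY_EC2, ALG_ES256, CRV_P256):
        raise ValueError("not an ES256 / P-256 COSE key")
    x_bytes, y_bytes = cose[COSE_X], cose[COSE_Y]
    if len(x_bytes) != 32 or len(y_bytes) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    x, y = int.from_bytes(x_bytes, "big"), int.from_bytes(y_bytes, "big")
    return {
        "credential_id": cred_id,
        "friendly_name": record["friendly_name"],
        "kty": cose[COSE_KTY], "alg": cose[COSE_ALG], "crv": cose[COSE_CRV],
        "x": x, "y": y,
        "on_curve": is_on_p256(x, y),
    }


if __name__ == "__main__":
    rec = parse_stored_credential(STORED_CREDENTIAL)
    print("credential id: %d opaque bytes" % len(rec["credential_id"]))
    print("key: kty=%d alg=%d crv=%d on_curve=%s" % (rec["kty"], rec["alg"], rec["crv"], rec["on_curve"]))
```

The decoded map is `{1: 2, 3: -7, -1: 1, -2: <32 bytes>, -3: <32 bytes>}`, i.e. an EC2 key, ES256, curve P-256, with the two coordinates. The on-curve check matters on the registration path: an off-curve point from a malicious client can be rejected there, whereas a leak of the stored point gives an attacker only what the authenticator already publishes.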